Federated learning (FL) is a collaborative learning paradigm that allows multiple clients to jointly train a model without sharing their training data. However, FL is susceptible to poisoning attacks, in which the adversary injects manipulated model updates into the federated model aggregation process to corrupt or destroy predictions (untargeted poisoning) or to implant hidden functionalities (targeted poisoning or backdoors). Existing defenses against poisoning attacks in FL have several limitations: they rely on specific assumptions about attack types, strategies, or data distributions, or they are not sufficiently robust against advanced injection techniques and strategies while simultaneously maintaining the utility of the aggregated model. To address the deficiencies of existing defenses, we take a generic and completely different approach to detecting poisoning (targeted and untargeted) attacks. We present FreqFed, a novel aggregation mechanism that transforms the model updates (i.e., weights) into the frequency domain, where we can identify the core frequency components that carry sufficient information about the weights. This allows us to effectively filter out malicious updates during local training on the clients, regardless of attack types, strategies, and clients' data distributions. We extensively evaluate the efficiency and effectiveness of FreqFed in different application domains, including image classification, word prediction, IoT intrusion detection, and speech recognition. We demonstrate that FreqFed can mitigate poisoning attacks effectively with a negligible impact on the utility of the aggregated model.
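The abstract describes the core idea (transform each client's update into the frequency domain, keep the low-frequency components that summarise the weights, and drop updates whose frequency fingerprint does not agree with the others) but not the concrete transform, the number of retained components, or the decision rule. The following is an added, self-contained illustration of that idea in pure Python; it is not the FreqFed authors' code. It assumes a DCT-II transform, that each flattened update is summarised by its first 8 low-frequency coefficients, and that an update is rejected when its median distance to the other fingerprints exceeds three times the overall median (a simple outlier rule chosen here for illustration; the paper's own clustering and thresholds are not given in the abstract). The client updates are constructed in `make_round`: eight benign updates around a common direction plus small noise, one boosted (scaled) update, and one update that adds energy in a different direction.

```python
"""Illustrative frequency-domain filtering of federated model updates.

Added example, not the FreqFed implementation. Assumptions: DCT-II transform,
8 retained low-frequency coefficients, and a median-distance outlier rule.
"""
import math
import random
from statistics import median


def dct2(x):
    """Unnormalised DCT-II of a real sequence (pure Python, O(n^2))."""
    n = len(x)
    return [
        sum(x[i] * math.cos(math.pi / n * (i + 0.5) * k) for i in range(n))
        for k in range(n)
    ]


def frequency_fingerprint(update, keep):
    """Low-frequency summary of one flattened update: first `keep` DCT coefficients."""
    return dct2(update)[:keep]


def euclid(a, b):
    """Euclidean distance between two fingerprints."""
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))


def freqfed_filter(updates, keep=8, factor=3.0):
    """Return (accepted_indices, rejected_indices).

    An update is rejected when the median distance between its fingerprint and
    the other clients' fingerprints is more than `factor` times the median of
    those per-client medians (assumed rule; the paper's rule is not stated here).
    """
    fingerprints = [frequency_fingerprint(u, keep) for u in updates]
    n = len(fingerprints)
    med_dist = []
    for i in range(n):
        dists = [euclid(fingerprints[i], fingerprints[j]) for j in range(n) if j != i]
        med_dist.append(median(dists))
    threshold = factor * median(med_dist)
    rejected = [i for i, d in enumerate(med_dist) if d > threshold]
    accepted = [i for i in range(n) if i not in rejected]
    return accepted, rejected


def average(updates):
    """Plain coordinate-wise mean, i.e. FedAvg over the given updates."""
    dim = len(updates[0])
    return [sum(u[d] for u in updates) / len(updates) for d in range(dim)]


def make_round(n_benign=8, dim=64, seed=7):
    """Constructed aggregation round: benign updates plus two poisoned ones.

    Returns (true_direction, updates). Indices 0..n_benign-1 are benign,
    n_benign is a boosted update, n_benign+1 pushes a different direction.
    """
    rng = random.Random(seed)
    # Common benign update direction: one low-frequency DCT basis function.
    base = [math.cos(math.pi / dim * (i + 0.5) * 2) for i in range(dim)]
    updates = [[v + rng.uniform(-0.05, 0.05) for v in base] for _ in range(n_benign)]
    # Poisoned update 1: the benign direction scaled up (model-replacement style).
    updates.append([5.0 * v for v in base])
    # Poisoned update 2: benign direction plus strong energy in another basis function.
    updates.append([
        v + 3.0 * math.cos(math.pi / dim * (i + 0.5) * 5) for i, v in enumerate(base)
    ])
    return base, updates


if __name__ == "__main__":
    base, updates = make_round()
    accepted, rejected = freqfed_filter(updates)
    print("rejected clients:", rejected)
    clean = average([updates[i] for i in accepted])
    naive = average(updates)
    print("max deviation, filtered :", max(abs(a - b) for a, b in zip(clean, base)))
    print("max deviation, unfiltered:", max(abs(a - b) for a, b in zip(naive, base)))
```

Both poisoned updates stand out in the retained low-frequency coefficients (the boosted one by magnitude, the other by energy at a frequency the benign updates do not use), so they are rejected and the filtered average stays within the noise level of the benign direction, whereas the unfiltered average is pulled noticeably off it. In a real deployment the fingerprints would be computed over the full flattened weight vector of each update, and the decision rule would need tuning against non-IID client data, which is exactly the sensitivity the abstract claims the frequency-domain view removes.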